RFR: 8285827: Describe the keystore.pkcs12.legacy system property in the java.security file

Weijun Wang weijun at openjdk.java.net
Fri Apr 29 13:31:46 UTC 2022


On Fri, 29 Apr 2022 13:17:55 GMT, Sean Mullan <mullan at openjdk.org> wrote:

>> How about this?
>> 
>> To work with legacy PKCS #12 tools that do not support the new algorithms,
>> the system property "keystore.pkcs12.legacy" can be set
>> which will override the properties defined here with old settings.
>> This system property is equivalent to
>
> I think the text above might still make some users concerned that they should always set this property.
> Maybe we can be less specific, and just say: "If you encounter compatibility issues with software that doesn't support the stronger algorithms, the system property ..."

Can we say both? All these properties are only used when creating the file (key-related ones when creating the key). If a compatibility issue already happens, users need to downgrade their keystore.

So, the full text will be something like

To work with legacy PKCS #12 tools that do not support the new algorithms,
the system property "keystore.pkcs12.legacy" can be set
which will override the properties defined here with old settings.
If you encounter compatibility issues with software that doesn't support the stronger algorithms,
you can downgrade the keystore with

   keytool -J-Dkeystore.pkcs12.legacy -importkeystore -keystore ks ...

I'll double check if the command can indeed downgrade key algorithms as well.

-------------

PR: https://git.openjdk.java.net/jdk/pull/8452


